Analysis

  • max time kernel
    107s
  • max time network
    108s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250128-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250128-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    06-02-2025 13:58

General

  • Target
    241024-stz9xs1cjb_pw_infected.zip
  • Size
    19.7MB
  • MD5
    3fea37277128d6e625b7b494e92908b5
  • SHA1
    3c8ea15887abbcb776159fa2fad756ceb7e4f6b2
  • SHA256
    a56db9cc79a61d8d591d61586036e262ef2b478b544296b322d8fbbfe9afb1cb
  • SHA512
    ab60c992b6f1682b694b7cead2dfcd776e3cf8b9c130ab868bf5099841ab475a3373d269400ca3ef8f06b164b6c454e2c4d7c9770139cad619794d9811a1b2df
  • SSDEEP
    393216:+bxyJ1JWSI9pMqXV6MYgX51E4u3CzFal/tlFiVKByZkJrmEMv/FApuiSLIqmAw:A8zJWSI9+WkcI4hzFMljJrLGtOacqmAw

Score
7/10

Signatures

  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 31 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\241024-stz9xs1cjb_pw_infected.zip
    1⤵
    PID:2960
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1648
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241024-stz9xs1cjb_pw_infected.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4500
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4756
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:476
  • C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker\XWorm V5.6.exe
    "C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker\XWorm V5.6.exe"
    1⤵
    • Executes dropped EXE
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/necrowolf_coder
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x148,0x14c,0x150,0x120,0x154,0x7ffbb97746f8,0x7ffbb9774708,0x7ffbb9774718
        3⤵
        PID:1500
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3680277403674737261,17256932344056831351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
        3⤵
        PID:4896
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,3680277403674737261,17256932344056831351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3140
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,3680277403674737261,17256932344056831351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
        3⤵
        PID:3196
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3680277403674737261,17256932344056831351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
        3⤵
        PID:3664
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3680277403674737261,17256932344056831351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
        3⤵
        PID:2444
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3680277403674737261,17256932344056831351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
        3⤵
        PID:3620
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:1596
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x504 0x4dc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1648
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3672
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3204

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    8114c8477a121c9aa4f577ebe753f277
    SHA1
    379db86efc023e0caf2cc4219edc6a7893bca450
    SHA256
    90550a45ff1e8b1f718ffcda740d3701bde2c12ffa9b163ab712632134d1bd3a
    SHA512
    76bfa7fe925a6965a95caf8a7cc33ca2e1360cc4ebb60209aa3beef668fbe2e7e8d083c9231319f79db0f9c86c131af0c302a176afd13262ca51db72528c4e55
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize
    72B
    MD5
    5905f11c6889e76456390e814e9336e7
    SHA1
    edd551d8030409b7f823ae90fcbcee6e2e4f55e3
    SHA256
    3806517220d2d22ee2e9591e7ff885ae40b5d27aaceae0b5969f1e0f9a684572
    SHA512
    33a84ee563e5e0e8538ec02dc8c1b28e1d2c5bf8f2fbbc24ce6e2cb0ab12d095ffe2bb1f380970598bfdd5a43afee9bad8a94ee0f37e6f68f05b74f31fbf2bc8
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize
    242B
    MD5
    e384a795d1e597feb0a5bebd13dcde50
    SHA1
    7ce66637789b61ae163c1de62dc996a99cdef796
    SHA256
    42a6ef02d02be95231cee980c97d4398ac167e7264a5cf838b3e3a2ad2a3380b
    SHA512
    36f58ca4b73ed5fdfd9b2557d09203189dc9cb3db29ee9716f89bb75a8f6d1c32cca67e597dfefb3b9074be0a024ba51ff40d8024439ccbb16d17316abc2215c
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    4f5cbd3f0734c947573176d0915e2c33
    SHA1
    60adcc2522ca89b42f2bd0afbffd6e03a4939c9b
    SHA256
    879c6adb5f50b193cb5ae97f851681799219eb9a68af83511d4d07daf820c023
    SHA512
    ba289521e580248fc08477814b9d158c0f302e1ce3a046ea1414b5f714618375c8af5f3040a2f7766dc1e52173c710a06e939f380675be0ab19cdc0579e9f126
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    5KB
    MD5
    ff31b77ef3b766a31b4f775ac5de9717
    SHA1
    ffe3ad53666364e72da6528f71eb1ea1418959c9
    SHA256
    8b5b76a7895661fc35f36a67448968866f4fbd2be4270d1abd68230bfaaa4b40
    SHA512
    ecd3a18355f7b7b8fe63ae96855e9291948da48703c417f152023c918218d99e94eba50736a9a2ce43388b602a21241a5d12404a645999b87eac11a39cd867e1
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c6ab40a3-4fb4-4f40-b487-0527dcf99a4e.tmp
    Filesize
    24KB
    MD5
    8db1cde06af2415dcd094ec11ba53d93
    SHA1
    67715f882d0af418dda51ccaa4c85b5454ab3d19
    SHA256
    226baa1c600bf566cb2307dee4d0bd8185d4445b02d38a8f44df77268df5af9d
    SHA512
    f576a95d651bcea4f985e26f3c6db6eb1bed51931883727cf1dd1e2ab6e77bb217e764c9fcb71936b4fd75003328c9d5e4d72e380ba216d51d7e8635941ef28b
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
    10KB
    MD5
    fc9c4e558245b3fba5dc016d9ed11d45
    SHA1
    21c1b7c1a87f71b60216bdeb3da1223dea5162c1
    SHA256
    8f83a007a84110057911cdb45c2f1363a25447c6179c07918a7b531f350493c8
    SHA512
    928fb620fb70c1077d6db2b559e62a56ba9e87321bb9776e0f403a8e5db9fa210bb8fbfbd45ba587b7801bbd6533e9ea8a50055b86190336e88de49840785ebf
  • C:\Users\Admin\AppData\Local\Temp\7zECD1A4F78\@Cybnux_XWorm_v5.6_Cracker\Icons\icon (15).ico
    Filesize
    361KB
    MD5
    e3143e8c70427a56dac73a808cba0c79
    SHA1
    63556c7ad9e778d5bd9092f834b5cc751e419d16
    SHA256
    b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
    SHA512
    74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
  • C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker.rar
    Filesize
    19.7MB
    MD5
    0b87bf0a97079e39453d580707339f8d
    SHA1
    e6cc2b04766f9942c90caba2046bfbd936210d2b
    SHA256
    17ff9f594f93a70b84c110c94e0341d2385260642e4f036cf2fda381c66be4ba
    SHA512
    514c4ee3c37e4f1d92e8ba980c1d64cfd8b2bcb4b5daecffa527bd43850a9bac737e362244bda78970b3d044bca51ebc9ad95bfc868a9808dd44c965913ca2bb
  • C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker\GeoIP.dat
    Filesize
    1.2MB
    MD5
    8ef41798df108ce9bd41382c9721b1c9
    SHA1
    1e6227635a12039f4d380531b032bf773f0e6de0
    SHA256
    bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
    SHA512
    4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
  • C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker\Guna.UI2.dll
    Filesize
    1.9MB
    MD5
    bcc0fe2b28edd2da651388f84599059b
    SHA1
    44d7756708aafa08730ca9dbdc01091790940a4f
    SHA256
    c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
    SHA512
    3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
  • C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker\Sounds\Intro.wav
    Filesize
    238KB
    MD5
    ad3b4fae17bcabc254df49f5e76b87a6
    SHA1
    1683ff029eebaffdc7a4827827da7bb361c8747e
    SHA256
    e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf
    SHA512
    3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3
  • C:\Users\Admin\Desktop\@Cybnux_XWorm_v5.6_Cracker\XWorm V5.6.exe
    Filesize
    17.9MB
    MD5
    49f6c848fc3b1f32ed96b08bca221e53
    SHA1
    0c1da68ae22f31f61ded840a42515793e1432a24
    SHA256
    7926286cb142cc3d2511cde859dc78ea4d9a26b5007c80bc33879fc3e5800c0c
    SHA512
    1cb5fea83ccecf175ec1ed6e381bf09f915115458869f05ebdbfbd2a92b6ec41f0a5d004e0bf74a80ccc68491554bb7df95d10242f22ce1429a2bcff124b5ba1
  • memory/3572-147-0x000002BB33510000-0x000002BB33704000-memory.dmp
    Filesize
    2.0MB
  • memory/3572-145-0x000002BB15430000-0x000002BB1733E000-memory.dmp
    Filesize
    31.1MB